DIA SUPPORT TO INFORMATION OPERATIONS


The Defense Intelligence Agency (DIA) has demonstrated its commitment to information warfare by establishing the DIA Information Warfare Support Office. Its mission is:

• To produce integrated all-source intelligence supporting U.S. offensive and defensive Information Operations (IO) plans and operations;

• Identify and analyze the IO threat potential and capabilities of foreign nations, transnational groups, or coalitions; and

• Develop detailed intelligence analysis of:

- Foreign leadership operations and decisionmaking processes;

- Information technologies, systems, and networks; and

- Denial and deception programs.

The Information Warfare Support Office is made up of four divisions: Special Activities, Intelligence Preparation of the Battlespace, Threat Analysis, and Foreign Denial and Deception.

The Special Activities Division serves four principal customers: the Unified Commands, the Services, the Joint Staff, and the intelligence community. For the Unified Commands, the division provides intelligence support to OPLAN/CONPLAN information warfare annex development and provides tailored support to Special Technical Operations planning.

The Special Activities Division also supports the research, development, test and evaluation process of the Services and satisfies information warfare intelligence requirements for the Services.

For the Joint Staff, the division provides political-military assessments; intelligence for contingencies, operations, and deliberate and crisis planning; and tailored, coordinated databases.

For the intelligence community, the Special Activities Division coordinates all-source intelligence for the Special Technical Operations program, interfaces with the collection community, and supports specialized battle damage assessments.

The Intelligence Preparation of the Battlespace (IPB) Division provides detailed, all-source, fused intelligence assessments of the operations and decisionmaking processes of the

Continued on page 3

1st Annual Information Assurance Red Team Assessment Workshop
Williamsburg, VA on August 13-14, 1997

The Defense Information Systems Agency and the Joint Staff (J6K) announce the 1st Annual Information Assurance (IA) Red Team Assessment Workshop to be held August 13-14, 1997, at the Fort Magruder Inn (classified sessions at Fort Eustis), Williamsburg, Virginia, under the auspices and sponsorship of the Defense Information Systems Agency and the Joint Staff (J6K) Information Assurance Division.

The workshop is classified SECRET/US GOVERNMENT ONLY and provides an opportunity for participants in IA Red Team Assessments to provide input from their research and experiences and identify what they can provide to mitigate the IA threat.

This Workshop is intended to provide a forum for the discussion, interchange, and debate of accomplishments, discoveries, and issues in the IA area. It is significant because of recent progress made in critical technologies and in the military utilization of these technologies. The Workshop will provide a setting for discussion of the implications of this technology on U.S. government information resources.

To ensure a balanced program for an integrated red team assessment process, the Workshop will consider the various needs of all known customers as well as the capabilities of current and projected models and simulations and analytical methodologies.

For registration information on the Information Assurance Red Team Assessment Workshop, access the IATAC home page at http://www.iatac.dtic.mil on the internet, http://204.36.65.5/index.html on Intelink-S, and http://www.rl.gov./rl/irido/iatac on Intelink or call Alethia Tucker at (703) 902-4664.
Information Assurance Evolves From Definitional Debate


When the din of battle subsides, observers, pundits, and especially soldiers focus their attention on lessons learned. The 1991 conflagration in Southwest Asia was no exception in this regard, and the examination of the extremely favorable results achieved by the United States and its United Nations allies brought a new level of intensity to the debate concerning the nature of future war.

To some, a new age beckoned; to others, attention to long established tenets of war, such as “mass,” “security,” and “surprise,” proved their worth. Yet even the iconoclasts recognized that “information” had emerged as the prime, if not decisive, contributor to the allied success. The significance of “information” was derived from the phenomenal advances in the realm of digital technology.

Policy and doctrinal guidance have attempted to keep pace with the spiral of information technology advances, but agreement on even the most fundamental definitions has provided a challenge within the Department of Defense (DoD). This article traces the evolution of that definitional debate through the five-plus years since the end of the Gulf War, calls attention to the role of information in the deterrence and prosecution of future war, and hopefully promotes a better understanding of the evolving definitions themselves.

The recognition of the elevated role of information in deterrence and in war was manifested in a revision of the Department of Defense Directive 3600.1, which appeared under the title, Information Warfare, in December 1992.

Following the DoD lead on information war, the Office of the Joint Chiefs of Staff undertook the writing of a complementary publication on new concepts of war demonstrated in the Gulf. The result of the Joint Staff effort was the publication of “Chairman of the Joint Chiefs of Staff Memorandum of Policy Number 30” (MOP 30), in March 1993. It took the title, Command and Control Warfare.


MOP 30 defined the relationship between “command and control warfare (C2W)” and “information warfare (IW)” by stating explicitly: “C2W is the military strategy that implements Information Warfare on the battlefield and integrates physical destruction.” Implicit in this definition is the recognition that information warfare also occurs “off the battlefield” and that it can be void of “physical destruction.”

In addition to defining the relationship between C2W and IW, MOP 30 also stated that C2W encompassed the “integrated use of operations security (OPSEC), military deception, psychological operations (PSYOP), electronic warfare (EW) and physical destruction, mutually supported by intelligence.” Widely known as the five pillars of C2W, these elements did not, however, address the role of computers and networks in future warfare.

To better address the role of information and information systems in future war, the US Air Force transitioned its Electronic Warfare Center at Kelly AFB, San Antonio, TX, to an organization with a much broader perspective. The new center is called the Air Force Information Warfare Center, and focuses on both the role of information in future war and the need for information assurance. One year later, under the auspices of the Chairman of the Joint Chiefs of Staff, the Joint Electronic Warfare Center, also at Kelly AFB, became the Joint Command and Control Warfare Center. Its focus is on information support to the Commanders-in-Chief of the Unified Commands. Further attention to the primacy of information in future war was evidenced at the National Defense University where the School of Information Warfare and Strategy opened its doors to the first of two 10-month pilot programs in information warfare in August 1994.

Following the lead of the Air Force and the Joint Staff, the Navy and the Army were quick to establish organizations to support the new concepts of deterrence and warfighting. The Navy established the Naval Information Warfare Activity at Fort Meade, MD, and the Fleet Information Warfare Center at Norfolk, VA, with detachments at San Diego, CA, Honolulu, HI, and Chesapeake, VA. The Land Information Warfare Activity was established by the Army at Fort Belvoir, VA. Information assurance is a critical element in each of these organizations.

As each organization pursued concepts and definitions suited to its mission, each was also involved in the definitional debate within the Department of Defense. By 1994, it was widely recognized that the concepts of information warfare were not well served by the definition of information warfare that

appeared in the December 1992 DoD directive. Not surprisingly, each of the principal organizations involved in the concepts of information warfare tailored definitions consistent with and appropriate to its own culture, missions, and doctrine.

Insights into the concepts of each of the major organizations involved in information warfare are clearly seen in the publications of those organizations. The first major organization to promote widely the concept of information warfare was the US Air Force. In the fall of 1995, General Fogleman, the Air Force Chief of Staff, and Secretary Widnall, Secretary of the Air Force, signed the Foreword to a pamphlet entitled, Cornerstones of Information Warfare. The pamphlet defined information warfare as: “any action to deny, exploit, corrupt, or destroy the enemy’s information and its function; protecting ourselves against those actions; and exploiting our own military information functions.” The pamphlet also detailed six elements of information war. Four were fully consistent with the elements of command and control warfare presented in MOP 30. These were: psychological operations, military deception, physical destruction, and electronic warfare. Where MOP 30 had focused on OPSEC as an element, Cornerstones focused on “security measures,” which was defined as OPSEC, COMSEC (communications security), and COMPUSEC (computer security). The sixth element of information warfare from the Air Force perspective was “information attack,” which was defined as “directly corrupting information without visibly changing the physical entity in which it resides.” Thus, the Air Force elevated the elements of command and control warfare to elements of information warfare. The Air Force also added “information attack” to the taxonomy of IW. These Air Force contributions were indicative of the Air Force’s focus on technology and its impact on traditional Air Force missions.

DIA Support to Information Operations, Continued from page 1

national leadership in potential adversary countries to support information operations planning and operations.

The division also develops methodologies for assessing the influence of cultural, psychological, and other human factors on leadership operations and decisionmaking. To support IO targeting, the division produces detailed communications and information system templates of potential adversary countries. Finally, the division provides consultative support to IO operational planners and creates new products and display formats for providing the most useful access to required intelligence.

The Threat Analysis Division detects, identifies and assesses IO capabilities of nations, groups, coalitions, and individuals that threaten the U.S. defense and national information infrastructures. Through all-source intelligence products, the division assists in force protection and defensive IO operations. The division also supports the design and implementation of a defense intelligence warning system for IO attacks, and supports Department of Defense Information Assurance activities.

The Threat Analysis Division also supports the Defense Information Infrastructure, or DII, by producing:

• IO national intelligence estimates,

• System threat assessment reports,

• Country-specific IO threat assessments,

• Information on foreign IO technologies and tools,

• An Electronic Warfare Integrated Reprogramming Data Base, and

• Information on threats to components of the DII.

The Foreign Denial and Deception Division of the Information Warfare Support Office detects and analyzes foreign denial and deception directed against U.S. intelligence, national security policy and military strategy, and strategic and conventional targeting, weapons acquisition, military operations, IO, and strategic arms control monitoring. The division detects, identifies, characterizes and monitors foreign underground and enigma facilities and produces all-source intelligence products to support U.S. policy, plans, operations, and acquisitions. Other areas of interest to the Foreign Denial and Deception Division include:

• Foreign denial and deception programs,

• Deception technologies and equipment,

• Foreign perception management,

• Military industrial concealment, and

• Underground facilities and enigmas.

In conclusion, DIA products address the full spectrum of information operations activities. DIA provides integration of intelligence and operations for the warfighter, Defense HUMINT Service information warfare support, information systems support, and a robust open source intelligence program. Since the range of potential contingencies in which the United States is likely to become involved covers the spectrum of conflict, IO support will remain a priority DIA mission area well into the future.

Following the publication of the Air Force’s Cornerstones, the Chairman of the Joint Chiefs of Staff (CJCS) published CJCS Instruction 3210.01, Joint Information Warfare Policy. Its IW definition was identical with the then-current definition in the working draft of DoD Directive 3600.1: “Actions taken to achieve information superiority by affecting adversary information, information-based processes, and information systems while defending one’s own information, information-based processes, and information systems.” The instruction also discussed the elements of information warfare and spoke of them in terms consistent with MOP 30 and Cornerstones.

The third major doctrinal publication to appear, while the revision of DoD Directive 3600.1 was in progress, was the Army’s Field Manual 100-6, Information Operations. The Army recognized “that IW as defined by DoD was more narrowly focused on the impact of information during actual conflict, [and chose] to take a somewhat broader approach to the impact of information on ground operations and adopted the term information operations.” The Army took this view to recognize “that information issues permeate the full range of military operations (beyond just the traditional context of warfare) from peace through global war.”

The definition of information operations offered by the Army differed significantly from other official definitions. Army IO was defined as, “Continuous military operations within the MIE [military information environment] that enable, enhance, and protect the friendly force’s ability to collect, process, and act on information to achieve an advantage across the full range of military operations; IO include interacting with the GIE [global information environment] and exploiting or denying an adversary’s information and decision capabilities.” The Army accepted the five C2W elements as a part of IO and added that civil and public affairs were also fully integral to Army IO. Again, the Service’s culture established the perspective given to the key definitions and taxonomy of information terms.

While the publication of key information terms occurred at the Joint Staff level and in the Services, the staffing of the overarching term from a DoD perspective continued for more than two years. The Joint Staff, Air Force, and Army each proposed its own culturally driven terms and definitions. When the new DoD Directive 3600.1 was signed on 9 December 1996, it took the title, Information Operations, which hence became the DoD overarching term pertinent to the role of information in warfare. The directive defined Information Operations simply as “Actions taken to affect adversary information and information systems while defending one’s own information and information systems.” In its discussion of the components of IO, the directive included the elements of C2W from MOP 30, the idea of computer network attack suggested in the Air Force’s Cornerstones, and the contributions of public affairs and civil affairs as set forth by the Army in FM 100-6. Thus the new DoD Directive had evolved to incorporate the seminal ideas of the Services and other key players in the information arena. It also defined Information Assurance (IA) as: “IO that protect and defend information and information systems. . . .” and stated that IA activities should be vigorously pursued.

While the key influencing factors in the evolution of the present DoD definition of information operations cited above focused on the Air Force, Joint Staff, and Army, the role of the Navy, Marine Corps, and especially the intelligence community should not be overlooked. The Navy has incorporated the concepts of information operations into their day-to-day fleet activities. The Marines have written about command and control which subsumes information concepts, and similarly the intelligence community has contributed immensely to the process of definition.

From the 1992 DoD Directive on information warfare through each of the publications discussed in this article, the idea of protecting information has been an integral part of every examination of information concepts. The primacy of protecting and defending information has been evident, and today, it is well incorporated into the DoD Directive on Information Operations and in Service publications.

As information operations evolved to accept elements of the earlier definitions of information warfare, so information assurance evolved as the term of choice for defensive IW or command and control protection. The concepts of “protect and defend” are very much in evidence in the DoD Directive 3600.1 definition of information assurance: “Information Operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.”
IBW9xxx: Intermediate Information Operations/Warfare (IBW)
5 days, Secret Clearance required, O-4 through O-6 and equivalents.
School of Information Warfare and Strategy, National Defense University, Fort McNair, DC
IBW9801  17-21 Nov 97
IBW9802  12-16 Jan 98
IBW9803  9-13 Mar 98
IBW9804  13-17 Jul 98
IBW9901  19-23 Oct 98
POC: Dr. Fred Giessler, 202-685-2209


SIW9xx: Senior Information Warfare (SIW)
2 days, TS/SCI required, O-7, equivalents and above. O-6s accepted on waiver.
School of Information Warfare and Strategy, National Defense University, Fort McNair, DC
SIW9801  5-6 Nov 97
SIW9802  12-13 Feb 98
POC: Dr. Fred Giessler, 202-685-2209


Information Assurance Red Team Assessment Workshop by DISA and the Joint Staff (J6K)
13-14 August 97
SECRET/US GOVERNMENT ONLY
Fort Magruder Inn, Williamsburg, VA
POC: 703-902-4664 (See article on page 1.)

infoWARcon ‘97, “Safeguarding Your Information from Your Competitors” by the National Computer Security Association and Winn Schwartau, Infowar.com
11-12 September 97
Sheraton Premier, Tysons Corner, VA
POC: 1-800-488-4595, ext 3226


“National Information Systems Security Conference” by the National Computer Security Center at the National Security Agency and the National Institute of Standards and Technology
7-10 October 97, with Pre-Conference Workshops on 6 October
Baltimore Convention Center, Baltimore, MD
POC: 301-975-2775


This second issue of the Information Assurance Technology Newsletter focuses on the evolution of concepts and definitions pertinent to information assurance. The newsletter also features an overview of the central role that the Defense Intelligence Agency and the Defense Information Systems Agency play in important information operations issues.

IATAC, a DoD-Sponsored Information Analysis Center (IAC), is administratively managed by the Defense Technical Information Center (DTIC) under the DoD IAC Program. Inquiries about IATAC capabilities, products, and services, or comments regarding this publication may be addressed to:

Dr. John I. Alger
Director, IATAC
2560 Huntington Avenue
Alexandria, VA 22303-1403


Introduction to Information Operations
5 days, TS/SCI Clearance required, O-3 through O-6 and equivalents.
Joint Military Intelligence Training Center, Bolling AFB, DC
20-24 Oct 1997
2-6 Feb 1998
4-8 May 1998
POC: Mr. Doug Dearth, 703-780-2584 - e-mail: dhdearth@aol.com




Telephone: (703) 329-7337
Facsimile: (703) 329-7197
STU-III: (703) 329-3940
STU-III Facsimile: (703) 329-7106
e-mail: iatac@dtic.mil
www: http://www.iatac.dtic.mil
Intelink-S: http://204.36.65.5/index.html
Intelink: http://www.rl.gov./rl/irido/iatac
U.S. Distribution Only.




The Information Assurance Technology Newsletter welcomes input from our readers. To submit photographs, related articles, notices, feature programs or ideas for future issues, please use the address, fax or e-mail as noted.


CLIP & SEND TO:
Information Assurance Technology Analysis Center
2560 Huntington Avenue, Alexandria, VA 22303-1410
FAX (703) 329-7197
E-mail: iatac@dtic.mil




Defending Against C2W and IW Attack


Editor’s Note: This article is part of a continuing series that highlights current Information Assurance (IA) initiatives within the Department of Defense. The Joint Command and Control Warfare Center (JC2WC) is located at Kelly Air Force Base (AFB) in San Antonio, Texas.

by Colonel Charles C. South, USAF, Deputy Director for Protect/Defense, Joint Command and Control Warfare Center

The mission of the Joint Command and Control Warfare Center (JC2WC) is to “provide direct Command and Control Warfare support to operational commanders”¹ and serve as the principal field agency within the Department of Defense (DoD) for non-Service-specific C2W support. The JC2WC executes its mission through its directorates of Operations (OP), Protect/Defense (PD), Operations Support and Technical Integration (OT), Systems Integration (SI), the Office of Plans and Programs (XR), and the Special Technical Operations (STO) Division. The focus of the Protect/Defense Directorate is to assist the combatant commanders in the development of strategies to defend against C2W and Information Warfare (IW) attacks.

The Directorate’s original concept was that of “Red Teaming” or exploiting information operations and related information technologies to raise the awareness of CINCs and OSD program managers to information related vulnerabilities. However, as concepts and doctrine for IW and Information Operations (IO) developed, we realized that

Continued on page 2.
The U.S. Army War College, Center for Strategic Leadership, hosted an Information Assurance Seminar Game that examined the emerging roles of the public and private sectors in protecting our critical information infrastructures from Information Warfare attacks. The Seminar Game was held 3-5 February 1998 at the Center for Strategic Leadership (CSL), Carlisle Barracks, Pennsylvania, and was jointly sponsored by the CSL, Booz-Allen & Hamilton, and the National Computer Security Association. Seminar Game participants were composed of industry and government experts whose views influence national information assurance policy and direction. The Seminar Game provided participants with a unique opportunity to interact on matters of increasing concern to all, and resulted in a more balanced view of information warfare and its threat to our nation’s critical infrastructure, private and public.

Presentations by recognized national security experts were provided to help participants define the threat, assess vulnerabilities and consider ways to estimate damages in the wake of an information infrastructure attack. Participants investigated ways to detect and disclose infrastructure attacks while addressing an appropriate process for response and recovery. The seminar also considered the national response to a strategic information attack.


Results of the game will be distributed to participants, key government offices, and selected agencies for publication. Further details can be obtained by contacting one of the following:


U.S. Army War College: Mr. Robert F. Minehart, Jr., (717) 245-4472
International Computer Security Association: Mr. Fred Tompkins, (717) 241-3241
Booz-Allen & Hamilton, Inc.: Mr. Albert J. Ross, (410) 684-6635


The Information Assurance Technology Newsletter is published quarterly by the Information Assurance Technology Analysis Center (IATAC). The third issue continues the focus on current information assurance initiatives underway within the Department of Defense. In addition, an overview of the IA Tools Database is provided that highlights the current collection of Intrusion Detection Tools.

IATAC, a DoD-Sponsored Information Analysis Center (IAC), is administratively managed by the Defense Technical Information Center (DTIC) under the DoD IAC Program. Inquiries about IATAC capabilities, products and services may be addressed to:

Robert Thompson
Assoc. Director, IATAC

We welcome your input. To submit your related articles, photos, notices, feature programs or ideas for future issues, please contact:

IATAC
ATTN: C. Wright
8283 Greensboro Dr.
Allen 663-D
McLean, VA 22102
Phone 703-902-3177
Fax 703-902-3425
STU-III 703-902-5869
STU-III Fax 902-3991
E-mail: iatac@dtic.mil
Internet: www.iatac.dtic.mil
Intelink-S: http://204.36.65.5/index.html
Intelink: http://www.web1.rome.c.gov/iatac


DEFENDING, Continued from page 1.


IO vulnerabilities should be addressed in the larger context of IW and IO. That is, since command and control (C2) is a subset of IW, we need to protect information with C2 application and value, regardless of whether or not it resides in a C2 system. In addition, we need to address those IO objectives and tasks associated with peacetime defense.

Accordingly, the Protect/Defense Directorate’s mission is evolving from (C2) Protect and (IW) Defense to Defensive IO. In this context, we are orienting our mission to the new definitions prescribed by DODD S-3600 (Information Operations), CJCSI 3210.1 (Joint Information Warfare Policy), CJCSI 651001A (Defensive IW Implementation), and Draft Joint Pub 3-13 (Joint Doctrine for Information Operations). DODD S-3600 provides that “DoD information systems critical to the transmission and use of minimum-essential information for command and control of forces shall be designed, employed, and exercised in a manner that minimizes or prevents exploitation, degradation, or denial of service from a multiple variety of attacks to include computer network attack.” Draft Joint Pub 3-13 refers to the following related defensive IO areas: information assurance, physical security, OPSEC, counter-deception, counter-PSYOP, counter intelligence (CI), electronic protect, and special information operations. The Defense IO mission also involves responses to IW attacks that may be either defensive or offensive in nature and may involve interface with law enforcement agencies.

As  you  can  see,  Defensive 
10  is  a  relatively  broad  mis¬ 
sion.  It  is  also  a  dynamic  one 
—  as  IW  and  10  concepts  and 
doctrine  evolve,  so  does  our 
mission,  and  we  continue  to 
examine  processes  that  best 
support  the  combatant  com¬ 
manders  in  the  areas  listed 
above.  Since  this  is  a  new 
mission  area  for  the  JC2WC, 
we  continue  to  seek  out  the 
best  training  available  in  these 
areas  to  enable  us  to  provide 
the  requisite  expertise  as  a 
“center  of  excellence.”  To  ac¬ 
complish  this  mission,  the  Di¬ 
rectorate  has  established 
three  functional  area  teams 
(see  Figure  1  below)  to  re¬ 
spond  to  our  evolving  defen¬ 
sive  10  mission.  These 


Continued  on  page  7. 
Figure 1. Protect/Defense Functional Areas

[Figure text: BLUE IO System Vulnerability Assessment; IW OPFOR (Red Team) Scenario Development & Execution; Post-EX Recommendations to CINC. Vulnerability Assessment of IO Technologies in ACTDs; Recommendations to Program Management. Raise Awareness of Significant IO Vulnerabilities; Develop Joint Defensive IO Strategies; Ensure the Best Possible IO Technologies for the Warfighter.]


Course Objective:

The purpose of this full-day tutorial is to provide attendees an accurate depiction of the role penetration testing plays in analyzing a system's overall security posture. The tutorial is designed to provide a thorough understanding of penetration testing concepts, terminology, approaches and techniques that can be applied to all system and network configurations.

This course is NOT intended to teach specific system vulnerabilities or how to exploit them, but will provide information on publicly available sources and tools that are commonly used by hackers. During this course attendees will learn how penetration testing fits into life-cycle system/network security and how it can complement other commonly performed security activities such as risk analysis and security test and evaluation. Attendees will also learn the limitations to penetration testing and that it is not a comprehensive analysis of a system's security.

At the completion of this tutorial, attendees should have a better understanding of what penetration testing is and is not, how it can be beneficial to organizations, and restrictions imposed when performed by professional consultants within legal boundaries. Attendees will have obtained the basic foundation necessary for building a penetration testing capability and performing penetration tests.

The tutorial will be held as Government-Only (see registration form on page 8) at the Booz-Allen & Hamilton McLean Campus — 8283 Greensboro Drive. A registration fee of $225.00 is required and due by May 18, 1998. A $50.00 late fee will be applied for all registrations received after May 18, 1998 and for payment at the door.

For more information concerning the tutorial, please contact Christina Wright at 703-902-3176/3177 or via e-mail at iatac@dtic.mil.

[Sidebar: Course Outline: Intro to Penetration Testing; Penetration Testing Scenarios; Performing Pen... June 4, McLean, VA. Full Day Course. Registration Deadline: May 18. Cost: $225.00. Government Only.]


ABOUT THE INSTRUCTOR

Debra Banning is a Senior Associate at Booz-Allen & Hamilton specializing in security/risk assessments and penetration testing. Ms. Banning has been planning, performing and leading penetration exercises for government and commercial clients for 13 years. She recently presented the Penetration Tutorial on which this workshop is based at the 13th Annual Computer Security Applications Conference sponsored by the IEEE Computer Society.


Information Assurance Tools Database: Intrusion Detection

The IATAC Information Assurance Tools Database hosts information on intrusion detection, vulnerability analysis, firewalls, and anti-virus applications. A brief summary of Intrusion Detection Tools is provided on these two pages. For more information, see IATAC Products on page 6.


Title (Attributes): Description

ADS (attack detection): Attack detection system for secure computer systems
AID (audit-based, misuse detection): Distributed intrusion detection system that consists of agents on the monitored hosts and a central monitoring station with an expert system
ALVA (anomaly detection, audit-based): Real-time tool for detecting potential security violations in UNIX audit logs. The system gains some level of platform independence by analyzing command logs that are pre-computed from the system audit logs.
Argus (audit-based, system monitoring): Generic IP network transaction auditing tool for UNIX
ARPMon (system monitoring): Maps IP addresses to physical network or hardware addresses to monitor the usage of IP addresses on a network
ARPWATCH (system monitoring): Aims to protect against address spoofing by monitoring Ethernet activity and maintaining a database of Ethernet/IP address pairings
ASAX (audit-based, misuse detection): Distributed audit trail analysis system that also has incorporated configuration analysis
ASIM (anomaly detection): Air Force project designed to measure the level of unauthorized activity against its systems
CMDS (anomaly detection, audit-based, expert system, misuse detection): Real-time audit reduction and analysis to detect and deter computer misuse
Courtney (system monitoring): Monitors the network and identifies the source machines of SATAN probes/attacks
CyberCop (anomaly detection, misuse detection, system monitoring): Real-time security solution that issues alarms when attacks are identified, recognizes networked elements under attack, logs the activity, and captures evidence of the intrusion
EMERALD (anomaly detection, system monitoring): Distributed scalable tool suite for tracking malicious activity through and across large networks; introduces a highly distributed, building-block approach to network surveillance, attack isolation, and automated response
Gabriel (system monitoring): SATAN detector available for Sun platforms, written entirely in C and comes pre-built
GrIDS (anomaly detection): Uses graph-based language for analyzing network connection activity in a LAN-MAN sized system to detect large-scale automated attacks on networked systems
IDES (anomaly detection, expert system, misuse detection, system monitoring): Real-time intrusion-detection expert system that observes user behavior on a monitored computer system and adaptively learns what is normal for individual users, groups, remote hosts, and the overall system behavior
IDIOT (misuse detection): Based on complexity of matching and temporal characteristics
Ifstatus (anomaly detection): Checks network interfaces for promiscuous or debug mode in an attempt to determine if a sniffer is being run
Internet Scanner Toolset (anomaly detection): Performs scheduled and selective probes of a network's communication services, operating systems, key applications, and routers in search of those vulnerabilities most often used by individuals to probe, investigate, and attack
INTOUCH INSA (anomaly detection, keystroke surveillance, misuse detection): Scans all network-based user activity, regardless of the computer manufacturer or operating system being used, utilizing keystroke-level surveillance
ITA (anomaly detection, audit-based, misuse detection): Detects intruders or abuse by analyzing audit data from the operating systems it supports utilizing a rules engine
Kane Security Monitor (misuse detection, system monitoring): Provides network security monitoring using artificial intelligence, and identifies internal and external violations
md5check (file integrity): Compares the MD5 checksums of several critical SunOS 4.x system files to a database
NADIR (anomaly detection): Rules-based expert system to automatically detect intrusion attempts and other network security anomalies
NETMAN (system monitoring): Package of network monitoring and visualization tools for monitoring and displaying network communications
NetRanger (anomaly detection, misuse detection, system monitoring): Analyzes the data traffic for content and context while searching for signatures indicative of hacking attacks or other security violations
NID (anomaly detection, misuse detection): Detects, analyzes, and gathers evidence of intrusive behavior on Ethernet and FDDI networks using the Internet protocol
NIDES (anomaly detection, expert system, misuse detection, system monitoring): Real-time monitoring of user activity on multiple target systems connected via Ethernet; the rule-base employs expert rules to characterize known intrusive activity represented in activity logs, and raises alarms
NOCOL (system monitoring): Monitors network and system variables, such as ICMP or RPC reachability, RMON variables, nameservers, Ethernet load, port reachability, host performance, SNMP traps, modem line usage, Appletalk and Novell routes/services, BGP peers
Noshell (system monitoring): Provides the system administrator with additional information about who is logging into disabled accounts
NSM (system monitoring): Network-based network traffic monitor
POLYCENTER (misuse detection, system monitoring): Knowledge-based analysis of audit data to recognize and respond to simple security-relevant events
RealSecure (system monitoring): Real-time, automated attack recognition and response system that rests on the network, monitoring the network traffic stream looking for attacks and unauthorized access attempts
SecureNet Pro (keyword-level surveillance, system monitoring): Combines several key technologies, including session monitoring, firewalling, hijacking, and keyword-based intrusion detection
Stake Out (anomaly detection, misuse detection, system monitoring): Monitors network traffic and detects intrusive or suspicious activity as it occurs
Stalker (misuse detection): Identifies intruders and internal misuse by analyzing audit trail data and reporting on suspicious user and system activities
Swatch (misuse detection, system monitoring): Monitors events on a large number of systems and modifies certain programs to enhance their logging capabilities and software to then monitor the system logs
Tripwire (file integrity): Compares a designated set of files and directories to information stored in a previously generated database
T-sight (system monitoring): Visualizes traffic and data transiting a network, evaluates risks of certain transactions, and displays connection/transaction data that can either be logged or viewed during real-time monitoring
UNICORN (audit-based): Accepts audit logs from Unicos (Cray UNIX), Kerberos, and a common file system, then analyzes them and attempts to detect intruders in real time
USTAT (misuse detection, state transition analysis): Makes use of the audit trails that are collected by the C2 Basic Security Module of SunOS and keeps track of only those critical actions that must occur for the successful completion of the penetration
WatchDog (system monitoring): Monitors and manages the SunOS audit trail produced by the system's C2 security features and responds in real time to events that appear, and stores the audit trail
WebStalker Pro (misuse detection): Controls access to Web content files, and can watch all Web and non-Web accesses, all processes, and all changes to Web and other files; notifies in realtime through SNMP, pager, or e-mail when anything suspicious occurs
X Connection Monitor (system monitoring): Monitors X connections by using RFC931 to display user names, when the client host supports RFC931, and allows the user to freeze and unfreeze connections, or kill them, independent of the client and independent of the server


Modeling & Simulation

This unclassified report describes the models, simulations and tools being used or developed by selected organizations that are chartered with the Information Assurance mission. Data collection efforts focused on the current definitions of Information Operations, Information Warfare, and Information Assurance as described in DoD Directive S-3600.1, "Information Operations," and Chairman, Joint Chiefs of Staff Instruction 6510.1A, "Defensive Information Warfare Policy." In addition, the definitions prescribed by DMSO for model and simulation were used to determine what entities should be included in this IA models, simulations and tools report.

For more information on IATAC products & reports, contact Alethia Tucker at 703-902-3177.
Intrusion Detection Report

This Information Assurance Tools Report provides an index of intrusion detection tool descriptions contained in the IATAC Information Assurance (IA) Tools Database. The IA Tools Database hosts information on intrusion detection, vulnerability analysis, firewalls, and anti-virus software applications. Information was obtained via open source methods, including direct interface with various agencies, organizations, and vendors. Research for this report identified 43 intrusion detection tools currently employed and available. Tool information includes title, author, source, contact information and tool abstract.
Malicious Code Detection SOAR

This IATAC State-Of-The-Art Report (SOAR) addresses Malicious Software Detection. Included within the report is a taxonomy for malicious software to provide the audience with a better understanding of commercial malicious software. An overview of the current state-of-the-art commercial malicious software detection products and initiatives, as well as future trends, is presented. The same is then done for the current state-of-the-art in regards to DoD malicious software detection. Lastly, the report presents observations and assertions to support the DoD as it grapples with this problem entering the 21st century. This report is classified and has a limited release.
The Dynamic Secure STINET Service now has added the following:

Secure STINET's Customization provides the power to create and modify your own personalized web page. See what has changed in STINET by filtering out what is old and concentrating on what is new... set up a personal profile based on subject fields and groups and automatically receive citations via e-mail to the latest accessions in DTIC's Technical Report collection twice a month... save search queries for both the Technical Report and Work Unit Information System collections for re-use.

Abstracts are now included with citations to unclassified/limited documents in the Technical Reports Bibliographic Database. Viewing abstracts is based on individual user profile access restrictions. If your profile does not permit you to view a particular citation's abstract, you will be allowed to view the rest of the citation, minus the abstract.

Over 3,000 full-text technical reports are now available for viewing and downloading. Special Collections highlights reports found in DTIC's Technical Reports collection based on the source, topic, or targeted group. In addition to setting up your own search parameters, you can search using preestablished profiles developed by retrieval experts.

The Partnership for Peace Information Management System (PIMS) is designed to enhance the education of U.S. Service school students. Topic searches developed by DTIC for the PIMS community provide information ranging from air traffic control management to public affairs. PIMS also offers students the capability to construct custom searches for information not covered in the topic searches.

The subscription for the Secure STINET Service access via a web client is $50 per year/per subscriber. To subscribe to Secure STINET Service, contact DTIC's Registration Branch:

Telephone: (703) 767-8272
DSN 427-8272
Toll Free: 800-225-3842 (menu selection 2, option 2, sub-option 2)
Fax: (703) 767-8228
DSN 427-8228
E-mail: reghelp@dtic.mil

Questions concerning this product may be directed to the Product Management Branch, DTIC-BCP, 800-225-3842 (menu selection 2, option 3), 703-767-8267, or DSN 427-8267.


Continued from page 2.

functional teams are entitled Combat Support, Advanced Technology, and Field Support. Since the directorate is relatively small, with only 17 people, we leverage IO "opposition force" and analytical capabilities of other national agencies, service IW activities, and contractors.

The Protect/Defense Directorate supports six to eight CINC-sponsored exercises each year. The Combat Support Team provides direct defensive IO support to the combatant commander and serves as the joint coordination focal point for vulnerability assessment (i.e., exercise CONOP), IW Red Team scenario development, external agency coordination, defensive IO awareness training (as requested), Red Team scenario execution, and After-Action-Reporting.

The JC2WC has been asked by OSD to perform vulnerability assessments in support of the Advanced Concept Technology Demonstration (ACTD) program. During FY97, the Advanced Technology Team provided vulnerability assessment support for the following ACTDs: Rapid Terrain Visualization, Counter Proliferation, Air Base/Port Bio Detection, Combat ID, Battlefield Awareness and Data Dissemination, Joint Countermine, Rapid Force Projection Initiative, and Precision SIGINT Targeting System. ACTDs tentatively planned for evaluation in FY98 include Navigation Warfare, Joint Logistics, Military Ops in Urban Terrain, Extended Littoral Battlespace, Chemical Add-on (to Air Base/Port Bio Detection), and Unattended Ground Sensor. Vulnerability assessment support provides critical insight into system design and allows OSD and the Services to correct deficiencies before production and fielding of a system. As such, CINC users are made aware of the limitations associated with a system before depending on the information in an operational environment. Other FY98 approved ACTDs are still under review for assessment.

The Field Support Team functions as a self-sustaining, deployable "IW Red Team" that supports the Combat Support and Advanced Technology teams. Field Support Team deployable capabilities include HF/VHF/UHF/EHF, Signal Intercept and DF, Radar/IR Detection, and RF Jamming. Instrumentation assets include GPS, oscilloscopes, pulse analyzer, and spectrum analyzer. In addition, Field Support Team assets include shelters, generators, and cargo trucks.

As the IO environment becomes more complex, and the Defense Information Infrastructure more integrated with the National and Global Information Infrastructures, defensive IO measures also become more important and more difficult to assure. In any case, we will continue to leverage heavily off of the resources and capabilities of National agencies such as National Security Agency (NSA) and the Services' IW Centers/Activities in providing defensive IO support to the combatant commanders. The JC2WC will continue to strive to be the acknowledged IO leader, responsive to the CINCs, for integrating information operations into the overall military campaign plan.

1 CJCSI 5118.01, Charter for the Joint Command and Control Warfare Center, 15 September 1994.


Conferences & Symposia

Fiesta Informacion '98
Convention Center, San Antonio, TX
"The Virtual Enterprise in the 21st Century"
For information call 800-564-4220
14-16 Apr 98

10th Ann. Software Technology Conference
Salt Palace Convention Ctr, Salt Lake City, UT
"Knowledge-Sharing — Global Information Networks."
http://www.stc98.org
19-24 Apr 98

USPACOM Information Assurance Conference
Honolulu, HI
POC: SFC Huff 808-477-1046
e-mail: huffsdOO@hq.pacom.mil
28-30 Apr 98

Introduction to Information Operations
TS/SCI clearance, O-3 through O-6 and equivalents. Bolling AFB, DC.
POC: Mr. Doug Dearth, 703-780-2584
e-mail: dhdearth@aol.com
4-8 May 98

Penetration Testing Course
This course is Government Only. Booz-Allen & Hamilton McLean Campus. See page 3 for complete description, http://www.iatac.dtic.mil
4 Jun 98
Fee: $225.00
Registration form on back of newsletter.

IBW9xxx: Intermediate Information Operations/Warfare (IBW)
5 days, SECRET clearance required, O-4 through O-6 and equivalents, School of Information Warfare and Strategy, National Defense University, Fort McNair, DC
POC: Dr. Fred Giessler, 202-685-2209
IBW9804 13-17 Jul 98
IBW9901 12-23 Oct 98

Penetration Testing Course Registration
The Defense-Wide Information Assurance Program

by CAPT J. Katharine Burton, USN
DIAP, OASD (C3I)/IA

The Department of Defense's increasing dependence on a global information environment heightens its exposure and vulnerability to a rapidly growing number of sophisticated internal and external threats. Globally inter-networked and interdependent information systems tend to level the playing field between allies and potential adversaries. These systems offer adversaries access to potentially low-risk, high-value information infrastructure targets with the potential to impact the full spectrum of DoD operations. Furthermore, with each advance in information technology, new vulnerabilities are created that must be quickly discovered and effectively neutralized.

Before global networking became commonplace, the majority of the Department's critical information functions, both command & control and support, were electrically separated in Component-managed telecommunications and information processing environments. This separate-system condition had the advantage of providing the Department's information and information systems a level of resiliency and protection, forcing an adversary to attack each independently controlled environment. To seriously degrade the aggregate capability of the Department, an adversary must disrupt or corrupt a large number of critical systems using highly sophisticated (and largely unavailable) technologies that were expensive in terms of both time and money.

In contrast, the Department's reliance on commercial, globally interconnected information technologies has markedly heightened its vulnerability to attack. Today's inter-networked information technologies make it possible to affect many users, systems, and networks by attacking a single connection to a single network. To attack a large number of systems, an adversary need only find and attack a single exploitable connection to the system. These attacks can be performed through the use of a large and growing variety of available and inexpensive hacker tools. Once inside a system, an adversary can exploit it, as well as the systems networked to it. This global marriage of systems and networks has created a shared risk environment.

Any risk of weakness in any portion of the Defense Information Infrastructure (DII) is a serious threat to the operational readiness of all Components. The Department is moving aggressively to ensure the continuous availability, integrity, authentication, confidentiality, and non-repudiation of its information, and the protection of its infrastructure. Recent assessments, exercises, and real-life events clearly demonstrate that Defense-wide improvements in Information Assurance (IA) are an absolute and continuous operational necessity. We can no longer be satisfied with reactive or after-the-fact solutions. As the Department modernizes its information infrastructure, it must continuously invest in the research, development, and timely integration of products, procedures, and training necessary to sustain its ability to defend and protect the infrastructure. Providing for the protection of the DII is among the Department's highest priorities and is one of its most formidable challenges.

The Department's IA objective is to provide for the availability, integrity, authentication, confidentiality, non-repudiation, and rapid restoration of DII mission essential elements. Critical to achieving this objective is the implementation of a Department-wide planning and integration framework. To that end, on January 30 the Deputy Secretary of Defense, Dr. John J. Hamre, approved the creation of the Defense-wide Information Assurance Program (DIAP). The recommendations of the program are the result of several years of effort by the IA community, including:

• The October 9, 1996, Program Decision Memorandum II (PDM II) directing that an assessment be conducted by the Department-wide Information Assurance Task Force, and
• The August-September 1997 IA Integrated Process Team (IA IPT) effort directed by a Secretary of Defense memorandum of August 12, 1997.

The recommendations reflect the Department's understanding that IA is an operational readiness issue and that its dependence on inter-networked systems and services creates a shared risk environment necessitating an unprecedented level of coordination and unity across the Department.

The DIAP will provide the common management framework and central oversight necessary to ensure the protection and reliability of the DII. While planning and integration will be centralized, execution of individual Components' programs will remain the responsibility of the Components. A culture that recognizes and values IA must also be built among all Department Components.

Accordingly, the DIAP will continuously compare the Department's IA programs and functions against its operational and business information requirements, Defense-wide readiness standards, and threats to the DII. The DIAP will also infuse IA throughout its operations as a fundamental element of readiness and training. Operational readiness standards will be used to assess the adequacy of the protection afforded to the Department's data, information systems, and networks, and to the entire DII. This effort will provide a comprehensive and real-time picture of all IA programs. It will enable the Department to accurately develop, validate, and prioritize IA requirements; determine the return on its IA investments; and objectively assess its protection efforts.

The DIAP achieved initial operational capability in June 1998 with the assignment of the Staff Director and other key positions. It is in the process of achieving full operational capability as staffing for the various positions becomes available. Organizationally, the DIAP reports to the Information Assurance Directorate of the Office of the Assistant Secretary of Defense for C3I (OASD/C3I) (Figure 1). The DIAP is divided into two teams: the Functional Evaluation and Integration Team (FEIT) and the Program Development and Integration Team (PDIT) (see Figure 2). Between

Figure 1.

Figure 2.

by Paul Stone
American Forces Information Service

[...] year, Air Force Lt. Col. Buzz Walsh and Maj. Brad Ashley presented a series of briefings to top DoD leaders that raised more than just a few eyebrows.

Selected leaders were shown how it was possible to obtain their individual social security numbers, unlisted home phone numbers, and a host of other personal information about themselves [and their fa]milies, sim[ply by] cruising the [Interne]t.

[Walsh] and Ashley, members of the Pentagon's [Joint Sta]ff, were not [playing] a joke on [the le]aders. Nor [were t]hey trying to be clever. Rather they were dramatically, and effectively demonstrating the ease of accessing and gathering personal and military data on the information highway — information which, in the wrong hands, could translate into a vulnerability.

"You don't need a Ph.D. to do this," Walsh said about the ability to gather the information. "There's no rocket science in this capability. What's amazing is the ease and speed and the minimal know-how needed. The tools (of the Net) are designed for you to do this."

The concern over personal information on key DoD leaders began with a simple inquiry from one particular flag officer who said he was receiving a large number of unsolicited calls at home. In addition to having the general's unlisted number, the callers knew specifically who he was.

Too Much About Too Much

Beginning with that one inquiry, the Joint Staff set out to discover just how easy it is to collect data not only on military person-
As our society speeds into the Information Age, we are growing increasingly dependent on a complex web of information systems to manage our lives. We use computers, the Internet, and other information technologies to conduct business, manage finances, engage in personal communications, and process vast amounts of data.

This dependence on information systems also extends to our Nation's critical infrastructures. These infrastructures (telecommunications, energy, banking and finance, transportation, and government operations, among others) are the foundation of our economy, national security, and way of life; virtually every citizen depends on them every day. Technological advances have made these infrastructures highly automated and interdependent, increasing their efficiency and improving the quality of their services.

Yet technological advances have also introduced vulnerabilities into these infrastructures, and more people now have the tools to exploit them. For example, the pervasiveness and easy accessibility of the Internet means that anyone possessing the right tools and technical skills can penetrate an organization's information and control systems to steal data or inflict damage. Culprits who might commit such acts include disgruntled employees, recreational hackers, criminal groups, terrorist organizations, foreign intelligence services, or even hostile nations.

The National Infrastructure Protection Center (NIPC) was established in February 1998 to address infrastructure threats and vulnerabilities. Our mission is to detect, deter, assess, warn of, respond to, and investigate unlawful acts (both physical and cyber) that threaten our critical infrastructures. Located at FBI Headquarters in Washington, D.C., the NIPC is an interagency, public-private body that brings together investigators, analysts, computer scientists, and other experts from government and private industry.
The NIPC focuses on preventing attacks (learning about them before they occur) and taking steps to prevent or disrupt them. This effort requires collecting and analyzing information from all available sources (including law enforcement, intelligence services, open sources, and the private sector) and disseminating our analyses to all relevant organizations. If an attack occurs, the NIPC is the Federal Government's focal point for crisis response and investigation.

The NIPC is built on a foundation of partnership. When fully staffed, the NIPC will include representatives from the Federal Government (including the FBI, Department of Defense, the Intelligence Community, and others), from the owners and operators of critical infrastructures (to provide expertise and to facilitate coordination in the event of a crisis), and from state and local law enforcement (to build liaison relationships with emergency first responders). The NIPC also will establish electronic connectivity to relevant organizations in government and industry that have or require information about infrastructure threats and vulnerabilities.

The NIPC's success depends on information sharing. We are developing two-way channels of communication to facilitate information flow regarding threats, vulnerabilities, and incidents between government and industry. The Federal Government has access to intelligence and law enforcement information that is unavailable to private organizations. Simultaneously, the NIPC wants to learn about the threats and vulnerabilities experienced by these organizations. Sharing this important information will help us to define the threat environment with greater accuracy, thereby enabling us to prevent or disrupt potential attacks.

One current initiative is "InfraGard," a pilot project sponsored by the FBI's Cleveland Field Office to foster information sharing among private industry, the FBI, and other government agencies. A secure, Internet-based system, InfraGard has an alert network that members can use to report computer intrusions to the FBI. Reports are sent by encrypted electronic mail (e-mail) in two forms: a detailed description (which the FBI uses for analysis and, if required, investigative purposes) and a sanitized, victim-produced version (for distribution to other InfraGard members). Approximately 56 organizations are now involved in the InfraGard project, and we are exploring options for expanding it into a national system.

Protecting our critical infrastructures in the Information Age will require creative solutions and new ways of thinking. Establishing the NIPC and developing a productive partnership between government and industry are important steps in this direction. Much work remains to be done, but we look forward to working with our partners as we confront the challenges ahead.

Kenneth Geide is Chief of the FBI's Computer Investigations and Operations Section (CIOS), National Infrastructure Protection Center (NIPC). Mr. Geide initiated the FBI's Economic Counterintelligence program and was instrumental in drafting and achieving the passage of the Economic Espionage Act of 1996. He received his Bachelor's Degree from the University of San Francisco and his Master's Degree from New York University.
nel, but the military in general. They used personal computers at home, used no privileged information - not even a DoD phone book - and did not use any on-line services that perform investigative searches for a fee.

In less than five minutes on the Net, Ashley, starting with only the general's name, was able to extract his complete address and unlisted phone number, and, using a map search engine, build a map and driving directions to his house.

Using the same techniques and Internet search engines, they visited various military and military-related web sites to see how much and what types of data they could gather. What they discovered was too much about too much, and seemingly too little concern about the free flow of information versus what the public needs to know.

For example, one web site for a European-based installation provided more than enough information for a potential adversary to learn about its mission and to possibly craft an attack. Indeed, the web site contained an aerial photograph of the buildings in which the communication capabilities and equipment were housed. By pointing and clicking on any of the buildings, a web surfer would learn the name of the communications system housed in the building and its purpose.

"DATAMINING" MADE EASY

Taking their quest for easily accessible information one step further, the Joint Staff decided to see how much information could be collected just by typing a military system acronym into an Internet search engine. While not everyone would be familiar with defense-related acronyms, many of them are now batted around the airwaves on talk shows and on the Internet in military-related chat rooms. They soon discovered how easy it was to obtain information on almost any topic, with one web site hyper-linking them to another on the same topic.

What the Joint Staff was doing when they collected their information is commonly called "data mining": surfing the Net to collect bits of information on individuals, specific topics or organizations, and then trying to piece together a complete picture. Individuals do it, organizations do it and some companies do it for profit.

While the information they discovered presented legitimate concerns, it wasn't all negative. The Army's Ft. Belvoir, Va., home page was cited as one example of a web site which served the needs of both the military and the public. It had the sort of information families or interested members of the public need and should get.

So what does all this mean? Is DoD creating individual and institutional security problems? In the rush to make information available to the internal audience, is too much being made available to the public and those who might want to inflict harm?

The Joint Staff doesn't pretend to have all the answers to these questions, but is encouraging users to think about these issues whenever they put information on the Internet; and they believe that, in some cases, DoD is its own worst enemy.


Need To Know vs Right To Know

Michael J. White, DoD's assistant director for security countermeasures, agrees with the Joint Staff analysis. Moreover, as a security expert, he is concerned DoD does indeed exceed what needs to be on the Internet.

"For fear of not telling our story well enough, we have told too much," he said. "Personally, I think there's too much out there...and you need to stop and ask the question: Does this next paragraph really need to be there, or can I extract enough or abstract enough so that the intent is there without the specificity? And that is hard to do because we are pressed every day. So sometimes expediency gets ahead of pausing for a minute and thinking through the process: Does the data really need to be there? Is it going to hurt me tomorrow morning?"

DoD's policy on releasing information to the public, as spelled out by Defense Secretary William Cohen in April 1997, requires DoD "to make available timely and accurate information so that the public, Congress and the news media may assess and understand the facts about national security and defense strategy." The same statement requires that "information be withheld only when disclosure would adversely affect national security or threaten the men and women of the Armed Forces."

"On the one hand," Ashley said, "we have fast, cheap and easy global communication and coordination. On the other hand, we find ourselves protecting official information and essential elements of information against point-and-click aggregation. Clearly, this balancing act is a function of risk management. Full openness and full protection are equally bad answers. We have a serious education, training and awareness issue that needs to be addressed."

The Joint Staff repeatedly returns to the issue of "point-and-click aggregation" as a problem that is often overlooked when military personnel and organizations place data on the Internet. What they're referring to is the ability to collect bits of information from several different web sites to compile a more complete picture of an individual, issue or organization with very little effort.

"The biggest mistake people make is they don't understand how easy it is to aggregate information," Walsh said.

The lesson from this is that even though what is posted on the Net is perfectly innocent in and by itself, when combined with other existing information, a larger and more complete picture might be put together that was neither intended nor desired.

A more obvious problem, yet still one not always considered when posting information on the Internet, is that the "www" in web site addresses stands for "world wide" web. Information posted may be intended only for an internal audience - perhaps even a very small and very specific group of people. But on the Net, it's available to the world.

This, security experts agree, is an enormous change from the time when foreign intelligence gathering was extremely labor intensive and could only be done effectively on U.S. soil.

"If I'm a bad guy, I can sit back in the security of my homeland and spend years looking for a vulnerability before I decide to take a risk and commit resources," Ashley said. "I'm at absolutely no risk by doing that. I can pick out the most lucrative targets beforehand, and may even just bookmark those targets for future use. We won't know something has been compromised until it's too late."

White agrees with the Joint Staff's concern. "You can sit in Germany and have access to the United States just as easily as you can in Australia or the People's Republic of China or Chile," White said. "It doesn't matter where you are. You can go back and forth and in between and lose your identity on the net instantaneously. Those who seek to use the system feel comfortable they won't be discovered."

FOUO Means FOUO

In addition to these issues, security experts see another recurring and disturbing problem. In the rush to take advantage of the Net's timeliness and distribution capabilities, military personnel are forgetting about or ignoring the For Official Use Only policies which previously made the information more difficult to obtain. Yet anyone using the Internet doesn't have to venture far into the array of military web sites to come across one which states: "For Official Use Only."

If the information is For Official Use Only, security experts said, web site developers, managers and commanders must ask themselves whether the information should be there in the first place.

While officials are most concerned about the information being placed on military web sites, they had similar warnings about individual or family web sites. The Joint Staff recommends the same precautions should apply at home, especially as personnel move into high-ranking, key leadership positions.

IT'S A COMMANDER'S ISSUE

At a time when the flow of information is beyond anyone's capability to either digest it or control its direction, it's not likely the problems brought forward recently by the Joint Staff will be solved any time soon. The first step, security experts said, is awareness that the problems exist. Commanders have to understand not just the information capabilities of the world wide web, but the information vulnerabilities as well.

The second step, Walsh pointed out, is for commanders to become actively involved in the issue of what's being put on the Internet. Current DoD policies require local commander, public affairs and security reviews prior to release of data on web pages. But the flow of information is so great, these reviews may not be occurring and few are looking at the aggregation problem.

"I think it would be very appropriate for a public affairs officer to be the commander's lead representative," Walsh said. "But it's a commander's issue and it should go down command lines. This is certainly an operational security issue. Just like operational security is everybody's business, this ultimately is everyone's responsibility."

White concurred and recommends installations create "security-integrated product teams" which would be tasked to develop and implement guidelines for creating and monitoring web sites on the installation.

"I think having a group come together before the (web site development) process begins will remove an awful lot of pain in the long run," White said. "We need to step back one step and think before we begin any effort, because once it's done you can't undo it. That makes it very hard in a digital environment."

Although it's not possible to retrieve what's already on the world-wide web, nor predict how it will influence future security issues, Walsh, Ashley and White believe it's not too late to make a difference. With a little more forethought and a lot more planning, it will be possible to better protect the next generation of warfighters, both on and off the battlefield, they said.

Previously released September 25, 1998 via DefenseLink, from the American Forces Information Service News Articles. Downloadable version is available at http://\vcbsccurit\ :  alls.  osd.  mil.
Intrusion Detection System Evaluation

by Dr. Marc A. Zissman & Dr. Richard P. Lippmann, Lincoln Laboratory, MIT

The Information Systems Technology Group of MIT Lincoln Laboratory, under Defense Advanced Research Projects Agency Information Technology Office (DARPA/ITO) and Air Force Research Laboratory (AFRL/SNHS) sponsorship, is collecting and distributing the first standard corpus for evaluating computer network intrusion detection systems. Along with AFRL/SNHS, we are also coordinating the first formal, repeatable, and statistically significant evaluation of intrusion detection systems. This evaluation will measure probability of detection and probability of false alarm for each system under test.

This evaluation will contribute significantly to the intrusion detection research field by providing direction for research efforts by objectively calibrating current technology. The evaluation is designed to be simple, to focus on core technology issues, and to encourage wide participation. We have tried to eliminate security and privacy concerns, and we are providing data types that are used commonly by the majority of intrusion detection systems.

Technical Objective

The evaluation objectively measures intrusion detection systems' ability to detect attacks on computer systems and networks. The evaluation focuses on UNIX workstations, and the goal is to determine whether any of the following attack events occurred or were attempted during a given network session:

• Denial of service;
• Unauthorized access from a remote machine;
• Unauthorized access to local superuser privileges by a local unprivileged user;
• Surveillance and probing; and
• Anomalous user behavior.

Network sessions used for scoring the evaluation are complete TCP/IP connections, which correspond to interactions using many services including telnet, HTTP, SMTP, FTP, finger, rlogin, and others. Because the evaluation is based on the context of normal computer use on a military base, the frequency and character of the network sessions generated for each of these services reflect their actual usage at Air Force bases worldwide. The evaluation is designed to foster research progress, with the following four goals:

1. Explore promising new ideas in intrusion detection;
2. Develop advanced technology incorporating these ideas;
3. Measure the performance of this technology; and
4. Compare the performance of various newly developed and existing systems in a systematic, careful way.

Previous evaluations of intrusion detection systems have tended to focus exclusively on the probability of detection, without regard to probability of false alarm. By embedding attack sessions within normal background traffic sessions, the current evaluation will allow us to measure both detection and false alarm rates simultaneously.

Simulation Network

Figure 1. The Lincoln simulation network is used to generate traffic for the DARPA 1998 evaluation. The network has an "inside," which represents a military base, and an "outside," which represents the Internet. Though the network contains only 10 computers, it is capable of producing traffic from thousands of simulated computers and hundreds of simulated users.

Data and Guidelines

Before the evaluation begins, seven weeks of training data will be made available to the participants. These data will be used to configure intrusion detection systems and train free parameters. Generally, the types of training data provided will be those that are used by most current commercial and research intrusion detection systems, e.g., network packet traffic, host audit files, and file system dumps. These data will be labeled individually as either normal or attack/anomalous. Later, a set of test data will be made available. Evaluation participants will run their systems blindly over the test data and will submit the system hypotheses for scoring.

Both the training and the testing data will be extracted from a simulation network of about a dozen workstations (see Figure 1). With kernel modifications made available by AFRL/SNHS and other custom software, these few workstations can emulate thousands of workstations with hundreds of users. Both normal use and attack sessions will be present. Distributions of normal session types and normal session content will be similar to those on military bases. Attack sessions will contain old, recent, and new attacks. Most network sessions are run automatically, while a small number of sessions are generated by live users. Seven weeks of network traffic are available for training, and another two weeks will be used for evaluation. In all, the evaluation corpus will contain millions of network connections.

There are two parts to the intrusion detection evaluation. The first part is an off-line evaluation. Network traffic and audit logs collected on a simulation network will serve as input to intrusion detection systems under test. These systems will process data in batch mode, trying to find the attack sessions in the midst of normal activity. The second part of the evaluation is conducted in real-time. Systems will be delivered to AFRL/SNHS and inserted into their network testbed. Again, the job of the detection system is to find the attack sessions in the midst of normal background activity. Some systems may be tested in off-line mode, some in real-time mode, and some in both modes.
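The scoring step described above (labeled sessions, blind system hypotheses, probability of detection and probability of false alarm measured together), as an added example that is not Lincoln Laboratory's scoring software: a small Python scorer over a constructed answer key of sessions labeled normal or with one of the five attack categories from the Technical Objective, and a constructed set of per-session scores from a hypothetical system under test. It reports both rates and the per-category detection rate at one threshold, then sweeps the threshold to give the full detection/false-alarm trade-off that embedding attacks in background traffic makes measurable.

```python
"""Scorer for a DARPA-1998-style off-line intrusion detection evaluation.

Added example, not Lincoln Laboratory's scoring software. Every session,
label and hypothesis score below is constructed sample data.
"""
from dataclasses import dataclass

# Attack categories named in the evaluation's technical objective.
CATEGORIES = ("dos", "r2l", "u2r", "probe", "anomalous")
NORMAL = "normal"


@dataclass(frozen=True)
class Session:
    sid: int       # identifier of one complete TCP/IP connection
    service: str   # telnet, http, smtp, ftp, finger, rlogin, ...
    label: str     # NORMAL or one of CATEGORIES (the answer key)


# Constructed answer key: attack sessions embedded in normal background traffic.
TRUTH = [
    Session(1, "http", NORMAL),
    Session(2, "smtp", NORMAL),
    Session(3, "telnet", NORMAL),
    Session(4, "ftp", NORMAL),
    Session(5, "finger", "probe"),
    Session(6, "telnet", "u2r"),
    Session(7, "rlogin", "r2l"),
    Session(8, "http", "dos"),
    Session(9, "telnet", "anomalous"),
    Session(10, "smtp", NORMAL),
]

# Constructed hypotheses from a hypothetical system under test: sid -> score in
# [0, 1], higher meaning "more attack-like". Session 10 was never reported.
HYPOTHESES = {1: 0.05, 2: 0.10, 3: 0.40, 4: 0.65, 5: 0.90,
              6: 0.30, 7: 0.80, 8: 0.95, 9: 0.55}


def _flagged(hyps, session, threshold):
    """A session is flagged as an attack if its score reaches the threshold.
    Sessions the system never reported score 0.0, so they count as misses."""
    return hyps.get(session.sid, 0.0) >= threshold


def score_at_threshold(truth, hyps, threshold):
    """Return (p_detect, p_false_alarm, per_category) at one threshold.

    p_detect      = flagged attack sessions / all attack sessions
    p_false_alarm = flagged normal sessions / all normal sessions
    per_category  = detection rate within each attack category present
    """
    attacks = [s for s in truth if s.label != NORMAL]
    normals = [s for s in truth if s.label == NORMAL]
    hits = sum(_flagged(hyps, s, threshold) for s in attacks)
    false_alarms = sum(_flagged(hyps, s, threshold) for s in normals)
    per_category = {}
    for cat in CATEGORIES:
        members = [s for s in attacks if s.label == cat]
        if members:  # categories absent from this test set are skipped
            caught = sum(_flagged(hyps, s, threshold) for s in members)
            per_category[cat] = caught / len(members)
    p_detect = hits / len(attacks) if attacks else 0.0
    p_false_alarm = false_alarms / len(normals) if normals else 0.0
    return p_detect, p_false_alarm, per_category


def roc_points(truth, hyps):
    """Sweep every distinct score as a threshold, strictest first, giving the
    (p_false_alarm, p_detect) operating points of the system under test."""
    thresholds = sorted({hyps.get(s.sid, 0.0) for s in truth}, reverse=True)
    points = []
    for t in thresholds:
        p_detect, p_false_alarm, _ = score_at_threshold(truth, hyps, t)
        points.append((p_false_alarm, p_detect))
    return points


def area_under_roc(points):
    """Trapezoidal area under the operating points, starting from (0, 0)."""
    area = 0.0
    prev_fa, prev_pd = 0.0, 0.0
    for fa, pd in points:
        area += (fa - prev_fa) * (pd + prev_pd) / 2.0
        prev_fa, prev_pd = fa, pd
    return area


if __name__ == "__main__":
    pd, pfa, cats = score_at_threshold(TRUTH, HYPOTHESES, 0.5)
    print(f"threshold 0.5: P(detect)={pd:.2f} P(false alarm)={pfa:.2f} {cats}")
    points = roc_points(TRUTH, HYPOTHESES)
    for fa, d in points:
        print(f"  P(false alarm)={fa:.2f}  P(detect)={d:.2f}")
    print(f"area under ROC = {area_under_roc(points):.2f}")
```

At threshold 0.5 the constructed system detects four of five attacks (missing the u2r session) with one false alarm in five normal sessions; the sweep shows that lowering the threshold enough to catch the u2r session costs a second false alarm.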

Schedule

Data for this first evaluation will be made available during the fall of 1998. The evaluation itself will occur in October and November. A follow-up meeting for evaluation participants and other interested parties will be held in December to discuss research findings. All R&D sites that find the task and the evaluation of interest are invited to participate.

For more information or to request copies of the training corpus, contact:

Dr. Marc A. Zissman or Dr. Richard P. Lippmann
Lincoln Laboratory
Massachusetts Institute of Technology, Information Systems Technology Group
244 Wood Street
Lexington, MA 02420-9185
Voice: 781.981.7625
Fax: 781.981.0186
Email: INTRUSION@SST.LL.MIT.EDU
http://WWW.LL.MIT.EDU/IST/

For specific information on the real-time evaluation, contact:

Terrence (Terry) G. Champion
Air Force Research Laboratory
Electromagnetics Technology Division, INFOSEC Technology Office, Building 1124
Hanscom AFB, MA 01731-5000
Voice: 781.377.2068
Fax: 781.377.2563
Email: TGC@SAPPHO.RL.AF.MIL

Marc A. Zissman received the S.B. degree in computer science from MIT in 1985, and the S.B., S.M., and Ph.D. degrees in electrical engineering, all from MIT, in 1986, 1986, and 1990, respectively. He is presently assistant leader of the Information Systems Technology Group at MIT Lincoln Laboratory, where his research focuses on digital speech processing and computer network security. He may be reached at MAZ@SST.LL.MIT.EDU.

Richard P. Lippmann received a B.S. in electrical engineering from the Polytechnic Institute of Brooklyn in 1970 and a Ph.D. in electrical engineering from the Massachusetts Institute of Technology in 1978. He is presently a senior staff member in the Information Systems Technology Group at MIT Lincoln Laboratory, where his research focuses on speech recognition and the application of neural networks and statistics to problems in computer intrusion detection. He may be reached at RPL@SST.LL.MIT.EDU.


them, these two teams accomplish the overall mission, tasks, and functions of the DIAP and are staffed by a combination of Service, Joint Staff, OSD, and Defense Agency personnel. The FEIT consists of eight functional areas, including Readiness Assessment, Human Resources Development, Operational Policy and Doctrine Implementation, Security Management, Operational Monitoring, Architectural Standards and System Transformation, Acquisition and Product Development, and Research and Technology. These team members are the DIAP's principal evaluators for each functional area and will continuously evaluate Component IA programs to ensure the Defense-wide application of these functions is consistent, integrated, efficient, and programmatically supported. The PDIT will provide for the oversight, coordination, and integration of the Department's IA resource programs. The sum total of these activities will ensure the Department's IA operational capabilities to protect, detect, and respond are appropriately met.

The transformation of IA from a largely technical issue to an operational imperative is critical to success of the Department's IA strategy. The DIAP constitutes a significant management, organizational, and cultural change within the Department. It will ensure that the Department's IA programs extend beyond traditional Service and Agency perspectives to meet the growing challenges of a dynamic, global information environment. Through this process, the Department will be able to leverage information and information technology to enhance the efficiency of its business activities and the impact of its military operations.

CAPT Burton received her M.S. in National Security Strategy from the National War College and her M.A. in Management Information Systems from George Washington University. She is currently assigned as the Staff Director, Defense-wide Information Assurance Program (DIAP), in the Information Assurance Directorate of the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence.
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The  IATAC 

Information 
Assurance  Tools 
Database  hosts 
information  on 
intrusion  detec  - 
tion,  vulnerabil  - 
ity  analysis, 
firewalls  and 
antivirus  appli  - 
cations.  A  brief 
summary  of 

FIREWALL 
TOOLS  is  pro¬ 
vided  on  these 
two  pages.  For 
more  informa  - 
tion,  see  the 
IATAC  Product 
Order  Form  on 
page  15. 


TITLE | COMPANY | KEYWORDS | URL
AltaVista Firewall 98 | Digital Internet Solutions | Firewall, Application-Level Gateway, VPN | http://www.altavista.software.digital.com
AS/400 | IBM, Inc. | Firewall, Application Gateway, Packet Filtering | http://www.ibm.com
BorderManager | Novell, Inc. | Firewall, Packet Filtering, Circuit-Level Gateways, Application-Level Gateways (Proxies), NAT, VPN | http://www.novell.com
BorderWare Firewall Server | BorderWare Technologies, Inc. | Firewall; Tri-Level: Packet Filtering, Circuit-Level Gateways, and Application Proxies; NAT, VPN | http://www.borderware.com
Brimstone/Freestone | SOS Corporation | Firewall, Hybrid | http://www.soscorp.com
Checkpoint Firewall-1 | Check Point | Firewall, Stateful Inspection, Proxies, NAT, VPN | http://www.checkpoint.com
cIPro-FW | Radguard | Firewall, Multi-Layer Probing (MLP), NAT, VPN | http://www.radguard.com
ConSeal PC Firewall | Signal 9 Solutions | Firewall, Packet Filtering, NAT, VPN | http://www.signal9.com
CyberGuard for NT | CyberGuard Corporation | Firewall, Hybrid, NAT | http://www.cyberguard.com
CyberGuard for UnixWare | CyberGuard Corporation | Firewall, Hybrid, NAT | http://www.cyberguard.com
Elron Firewall | Elron Software, Inc. | Firewall, Stateful Inspection, NAT, VPN | http://www.elronsoftware.com
eNetwork for AIX/Windows NT | IBM, Inc. | Firewall, Hybrid, NAT, VPN | http://www.ibm.com
Firebox 100/Firebox II | WatchGuard Technologies, Inc. | Firewall, Stateful Packet Filtering, Transparent Proxies, NAT, VPN | http://www.watchguard.com
Firewall for Windows NT | Secure Computing | Firewall, Application Gateway (Proxies) | http://www.elronsoftware.com
Gauntlet | Trusted Information Systems | Firewall, Application Gateway, VPN | http://www.tis.com
GemGuard | Gemini Computers | Firewall, Trusted Packet Filtering, VPN | http://www.geminisecure.com
GNAT Box | Global Technology | Firewall, Stateful Packet Inspection, Application Techniques, NAT | http://www.gnatbox.com
Guardian | NetGuard, Ltd. | Firewall, Stateful Inspection, NAT, VPN | http://www.ntguard.com
GuardIt | Computer Associates | Firewall, Hybrid, NAT | http://www.cai.com
He@tSeekerPro | Fortress Technologies | Firewall, Packet Filtering | http://www.fortresstech.com
ICE.BLOCK | J. River, Inc. | Firewall, Packet Filtering | http://www.jriver.com
Interceptor | Technologic, Inc. | Firewall, Application Proxies, VPN | http://www.tlogic.com
InterLock Service | WorldCom Advanced Networks | Firewall, Application-Level Proxy | http://www.ans.net
IOS Firewall Feature Set | Cisco Systems | Firewall, Packet Filtering, NAT, VPN | http://www.cisco.com
Lucent Managed Firewall | Lucent Technologies, Inc. | Firewall, Packet Filtering | http://www.lucent.com
LuciGate | Lucidata | Firewall, Packet Filtering, NAT | http://www.lucidata.com
NetGate | Small Works, Inc. | Firewall, Packet Filtering and Routing Package, VPN | http://www.smallworks.com
NetScreen-100/NetScreen-10 | NetScreen Technologies | Firewall, Dynamic Filter, NAT | http://www.netscreen.com
Norman Firewall | Norman Data Defense | Firewall, Dual-homed Gateway, Application Proxies, NAT | http://www.norman.com
PIX | Cisco Systems | Firewall, Hybrid, NAT | http://www.cisco.com
PORTUS-ES | Livermore Software Laboratories | Firewall, Proxies, NAT, VPN | http://www.lsli.com
PrivateWire | Cylink Corporation | Firewall, Dynamic Packet Filtering, VPN | http://www.cylink.com
PyroWall | Radguard | Firewall, Multi-Layer Probing (MLP), NAT, VPN | http://www.radguard.com
Raptor for NT | Axent Technologies | Firewall, Hybrid (Application-level proxies, Packet Filtering), NAT, VPN | http://www.axent.com
Raptor for Solaris | Axent Technologies | Firewall, Hybrid (Application-level proxies, Packet Filtering), NAT, VPN | http://www.axent.com
Secure Access | Ascend | Firewall, Hybrid, VPN | http://www.ascend.com
SecurIT Firewall for Solaris | Milkyway Networks | Firewall, Application and Circuit Level Gateway, Proxy Servers | http://www.milkyway.com
SecurIT Firewall for Windows NT | Milkyway Networks | Firewall, Application and Circuit Level Gateway, Proxy Servers | http://www.milkyway.com
SecureWare NetWall | Bull HN Information Systems | Firewall, Hybrid, NAT, VPN | http://www.bull.com
Sidewinder | Secure Computing | Firewall, Application Gateway (Proxies), VPN | http://www.securecomputing.com
SmartWall | V-ONE Corporation | Firewall, Packet Filtering, Proxies, NAT, VPN | http://www.v-one.com
Solstice Firewall-1 | Sun Microsystems | Firewall, Stateful Inspection, VPN | http://www.sun.com/security
SonicWALL | Sonic Systems, Inc. | Firewall, Stateful Inspection, NAT | http://www.sonicsys.com
StoneBeat | Stonesoft Corporation | Firewall, High Availability | http://www.stonebeat.com
Telaxian Shield Firewall Server | Network Engineering | Firewall, Hybrid, NAT, VPN | http://www.fireants.com
WinGate | Deerfield Communications, Inc. | Firewall, Proxy server | http://www.deerfield.net
Detecting Intrusions Across Multiple Domains

by Donald L. Tobin, Jr.
University of Idaho

In the national defense arena, most analysts pay little attention to the isolated cases of computer intrusions reported almost weekly in the news. If analysts became aware of a pattern of attacks directed at a variety of networks and domains, however, this information might well warrant heightened attention. Our research efforts at the University of Idaho are directed in part at developing a prototype to supply multiple-domain information.

Commercial intrusion detection systems protect only a single network or a collection of networks in a single domain, such as pentagon.mil or lajes.af.mil. These limitations make it difficult even to detect a sweep or scan attack against multiple government and military installations in a single geographic area, especially if they represent different departments like the Department of Defense and the Department of Energy, or different services, such as the Army, Air Force, and Navy. A seemingly insignificant intrusion at one location would acquire much greater importance if collaboration among the installations revealed a coordinated set of attacks. Therefore, some form of data sharing is needed to detect systemic attacks against the nation's critical information infrastructure that involve multiple hosts and domains.

To help address these concerns, we have developed a prototype called HMMR (Hierarchical Management of Misuse Reports) or Hummer. The prototype and its source code are available at http://www.cs.uidaho.edu/~hummer. When HMMR is fully deployed, every host has a Hummer running on it, and all the hosts in a domain are probably, but not necessarily, arranged in some hierarchical fashion. Each domain has a top-level manager, and those managers may agree to form peer groups with top-level managers from other domains. Peer groups can also be formed among cooperating systems at other levels. In the hierarchical model, manager and subordinate systems do not have to be in the same domain.

The Hummers can collect data such as log files, usage reports, commercial tools, and freeware security tools and scanners from several locations on their host machine and put the acquired data into a common format. However, these capabilities require additional coding to extract data from the source and then reformat it properly for the Hummer to use and distribute, depending on the filters created by that host's system administrator or high-level managers/administrators. The reformatted information is distributed either through the hierarchy or to all the other peers in the peer group. The filter is simply a screen that determines which security-relevant information is to be shared with other hosts and networks. The filters can be generated quickly through one of the user interfaces.

Each Hummer has a World Wide Web-based interface for relatively easy configuration and management operations. The Audit Tool Manager lets the user pick which tools to use at any time. It also offers preconfigured suites of tools for "Possible Intrusion" and "Ongoing Intrusion" alert levels. These resources allow the operator to turn on all policy-defined tools and respond to a situation with only a few clicks of the mouse button. Once a top-level manager has created a particular configuration, he can push the configuration, including the filters to be used, out to all the other Hummers under him in the hierarchy in a few minutes.

The following scenario illustrates the Hummer's use. A Department of Energy (DOE) research laboratory located near an Army installation, an Air Force installation, and a major government contractor has formed a peer group with the other facilities using HMMR so the organizations may share security-related information. Normally, the data collection, logging, and auditing tools run in the background at the DOE lab; to avoid negative impact on the user community, only a small subset of Hummer tools are routinely turned on. One day, however, an alert system administrator sees Hummer-generated information being passed to her system from the Army installation and the government contractor, in turn, indicating they have been subjected to port scans. Expecting her network to be the next likely target, the system administrator turns on additional logging immediately, confident that with a few keystrokes, the more information she has, the better her chances of inhibiting the intruder.
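The three steps the article describes (normalizing host data into a common format, filtering and sanitizing what is shared, and a top-level manager correlating peer reports to recognize the multi-domain sweep of the scenario) as an added illustration in Python. This is not HMMR's own code: the two log formats, the report fields, the domain names and the tool suites are constructed for the example, since the page does not show Hummer's actual formats.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import asdict, dataclass

# Two constructed local log formats a Hummer might read on its host (not HMMR's
# real inputs): a packet-filter deny line and a connection-audit line.
PF_DENY = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d) pf: deny tcp (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$")
CONN_AUDIT = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d) conn from=(?P<src>[\d.]+) to=(?P<dst>[\d.]+) port=(?P<port>\d+) result=(?P<result>\w+)$")


@dataclass(frozen=True)
class Report:
    """Common format every Hummer distributes, whatever tool produced the data."""
    domain: str
    host: str
    time: str
    event: str
    src: str
    dst: str
    port: int


def normalize(domain: str, host: str, line: str) -> Report | None:
    """Extract one raw log line into the common format; None if unrecognized."""
    m = PF_DENY.match(line)
    if m:
        return Report(domain, host, m["ts"], "denied_connect", m["src"], m["dst"], int(m["port"]))
    m = CONN_AUDIT.match(line)
    if m:
        event = "connect_ok" if m["result"] == "ok" else "denied_connect"
        return Report(domain, host, m["ts"], event, m["src"], m["dst"], int(m["port"]))
    return None


def share_filter(report: Report, shared_events: set[str]) -> dict | None:
    """Administrator's filter: only listed events leave the site, and internal
    host and destination addresses are sanitized before the report is shared."""
    if report.event not in shared_events:
        return None
    out = asdict(report)
    out["host"] = out["dst"] = "redacted"
    return out


class PeerGroupManager:
    """Top-level manager for one domain, receiving filtered reports from peers."""

    def __init__(self, domain: str, scan_ports: int = 5, sweep_domains: int = 2):
        self.domain = domain
        self.scan_ports = scan_ports        # distinct ports per source = port scan
        self.sweep_domains = sweep_domains  # distinct domains scanned = sweep
        self.ports: dict[tuple[str, str], set[int]] = defaultdict(set)

    def receive(self, shared: dict) -> None:
        """Record one shared report, keyed by (source address, reporting domain)."""
        if shared["event"] == "denied_connect":
            self.ports[(shared["src"], shared["domain"])].add(shared["port"])

    def scanning_sources(self) -> dict[str, set[str]]:
        """Sources that port-scanned at least one domain, with the domains they hit."""
        hits: dict[str, set[str]] = defaultdict(set)
        for (src, domain), ports in self.ports.items():
            if len(ports) >= self.scan_ports:
                hits[src].add(domain)
        return dict(hits)

    def alert_level(self) -> str:
        """'Ongoing Intrusion' once one source swept several domains, 'Possible Intrusion' for one, else 'Normal'."""
        hits = self.scanning_sources()
        if any(len(domains) >= self.sweep_domains for domains in hits.values()):
            return "Ongoing Intrusion"
        return "Possible Intrusion" if hits else "Normal"


# Preconfigured tool suites per alert level, in the spirit of the Audit Tool Manager's suites (names constructed).
TOOL_SUITES = {
    "Normal": ["syslog"],
    "Possible Intrusion": ["syslog", "connection-audit"],
    "Ongoing Intrusion": ["syslog", "connection-audit", "packet-capture", "integrity-check"],
}


def run_scenario() -> tuple[str, list[str]]:
    """The article's scenario: the Army site and the contractor share scan reports
    with the DOE lab, whose manager correlates them and escalates its logging."""
    doe = PeerGroupManager("doe-lab.example")
    peers = {  # constructed peer log lines: one source address probing both sites
        ("army.example", "gw1"): [f"01:02:{i:02d} pf: deny tcp 203.0.113.9 -> 10.1.0.5:{p}"
                                  for i, p in enumerate((21, 22, 23, 25, 80, 110))],
        ("contractor.example", "fw"): [f"01:10:{i:02d} conn from=203.0.113.9 to=10.2.0.7 "
                                       f"port={p} result=refused" for i, p in enumerate((21, 22, 23, 25, 80))],
    }
    for (domain, host), lines in peers.items():
        for line in lines:
            report = normalize(domain, host, line)
            shared = share_filter(report, {"denied_connect"}) if report else None
            if shared:
                doe.receive(shared)
    level = doe.alert_level()
    return level, TOOL_SUITES[level]
```

Each peer alone sees only a port scan of its own domain; the receiving manager sees the same source across two domains and raises the level to "Ongoing Intrusion", which selects the larger tool suite the administrator turns on.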

Hummer represents only one of many areas in our ongoing research. The most important area, we believe, is developing a formal trust, integrity, and cooperation (TIC) model among hosts across multiple domains. We recognize that data, or even data requests, from a peer may be unreliable, inaccurate, or deliberately falsified, yet there remains a need to use available global information to ac-
Secure Your Distributed Network: What Will It Take?

by Robert Duchatellier
Lucent Technologies

Today's enterprises rely on the World Wide Web to deliver timely information to a broad base of users, branch offices, partners, and customers. As more information, content, and applications become readily available via the Internet and via intranets and extranets, you must look closely at the security requirements of your organization's servers, systems, and networks and ensure that you protect these critical assets.

Intranets, extranets, and the Internet are changing our world. They distribute information and services to people, no matter where they are. But most network security systems were never designed for distributed environments. As a result, they cannot deliver the scalability and management control needed to support growth and still remain secure.

Web site databases and other application systems are compromised almost every day, sometimes inadvertently, sometimes with malicious intent, and sometimes for the so-called fun of "breaking in." No system is absolutely impervious to attack, from both internal and external individuals and groups, but you can take steps to protect your systems, and you can implement policies and procedures to reduce significantly the threat of unauthorized access. One approach to achieving these goals is use of the Lucent Managed Firewall, now available in version 3.0.

Originally engineered by Bell Labs to protect Lucent Technologies' networks, the Firewall is designed to be intrinsically secure. It physically separates the security and management functions to improve each function's security and performance.

The Lucent network security appliance, called "the Brick," is a bridge-level device that runs Inferno™ operating system software, a compact, real-time operating system. The firewall code is embedded in the Inferno operating system kernel. The Brick eliminates common points of vulnerability, including user logins, files, hard drive, and monitor. The resulting firewall is hard to break and easy to maintain.

The Security Management Server software handles administrative functions. Available for Windows NT® and Sun Solaris® operating systems, the Security Management Server features an easy to use graphical user interface (GUI). As a result, network administrators do not have to be versed in operating systems or network configuration to manage the system.

The Brick uses native encryption and authentication features to communicate securely with the Security Management Server. The administrator works with the Security Management Server using encrypted sessions via industry-standard Secure Sockets Layer (SSL) and Design Engineering Services (DES) encrypted links, all of which are built in. Included with the Lucent Managed Firewalls is a free X.509 digital certificate from VeriSign.

[Figure: Lucent Technologies deployment diagram showing security zones labelled Public Policy, NOC Policy, Web Servers, Network Operations, Finance Network, and Payroll/Accounting Systems]

Additionally, the Lucent Managed Firewall is extremely scalable and easy to deploy. Most firewalls establish security rules geographically or physically. Instead, Lucent uses security zones to establish rules logically. One Brick can support multiple security policies or "zones," and each security zone can be set up to have its own distinct set of rules, with report logs and alarms customized for that zone. Multiple zones can be managed centrally from one Security Management Server. This approach makes it easy for you to enforce multiple security policies across multiple Bricks, regardless of where your firewalls are located.

The Lucent Managed Firewall can easily scale up to meet your needs, no matter how large they become. As the network grows, you simply add Bricks to the Security Management System. Because the firewall appliance is implemented as a bridge, not a router, you can add new firewall appli-
IA Scientific & Technical Information

by Robert P. Thompson
Director, IATAC

Collection of scientific and technical information (STI) is essential to Information Analysis Center (IAC) operations. The Information Assurance Technology Analysis Center (IATAC) collection of Information Assurance (IA) STI focuses on technologies that support the design, development, testing, evaluation, operations, and maintenance of Department of Defense (DoD) military systems and infrastructure. STI products and services serve to advance the knowledge base and productivity of the DoD research, development, test, and evaluation (RDT&E) community.

IATAC taps many sources to collect IA STI. It relies on direct interface with vendors supporting the IA community as a primary source of information. Nondisclosure agreements with corporations yield information on emerging research and development (R&D). Release of STI obtained through non-disclosure is tightly controlled as delineated in the agreement. Technical symposia and conferences also provide information, and conference proceedings and technical papers often become part of the STI Collection. IATAC's interfaces with DoD and other Federal Government agencies also facilitate receipt of new scientific and technical information. Technical Area Tasks also produce STI and help to build the IA collection. Finally, open source gathering techniques augment collection activities. The IATAC collection offers materials on a number of IA STI topics, including those listed below.

• Command, Control, Communications, Computers & Intelligence (C4I)
• Computer Network Attacks (CNA)
• Encryption
• Firewalls
• Hackers
• Information Assurance
• Information Operations
• Information Warfare
• Infrastructure Assurance
• Intrusion Detection
• Malicious Code Detection
• Red Teaming
• Vulnerability Analysis
• Virus/Anti-Virus
• Year 2000 (Y2K)

Information in the IA STI collection is available to registered Defense Technical Information Center (DTIC) users. Secondary distribution instructions must be strictly followed to ensure compliance with copyright restrictions. To become a registered DTIC user, applicants must complete DD Form 1540 available from http://web1.whs.osd.mil/icdhome/DDEFORMS.HTM.

For more information on the IA STI Collection, contact IATAC at 703.902.3177 or via email at iatac@dtic.mil.

Secure Your Network (continued from page 11)

ances at any time without reconfiguring the router network. With the release of the Lucent Managed Firewall v3.0, you can also manage software downloads remotely, saving time and maintenance expense.

The Lucent Managed Firewall can operate in a gateway perimeter setting to protect an enterprise network from the Internet or from partner extranet networks. It can separate public Web servers from sensitive intranet servers. It can also separate different intranet segments. Its scalability and flexibility can handle virtually any type of application, as well as any size and type of infrastructure.

Your network applications and systems are only as secure as the weakest point of entry. To secure your network, you must design the system to provide distributed security, centralized management and scalability. You must also adhere to strict policies and train users effectively. Implementing these steps and deploying advanced firewall technology will provide a secure system to support a broad range of applications, while minimizing the threat from unwelcome guests. These components build the strong foundation required to ensure maximum security while they also deliver the flexibility needed to grow your enterprise.

For more information, contact Lucent Technologies at 888.552.2544 or on-line at http://www.lucent.com/security.

Robert Duchatellier received an M.S. in Industrial and Applied Mathematics from Brooklyn Polytechnic Institute and an M.S. in Technology Management from Stevens Institute of Technology. He is currently Lucent Technologies' Lucent Managed Firewall Sales Channel Manager for the U.S. Government, Department of Defense, and Federal Agencies.
JAN 19-21
25th Annual Computer Security Conference & Exhibition
Sponsored by Computer Security Institute (CSI)
Chicago, IL
call 415.905.2378
www.gocsi.com

The Defense Technical Information Center (DTIC) Annual Users Meeting and Training Conference
DoubleTree Hotel National Airport, Arlington, VA
call Ms. Julia Foscue 703.767.8236
jfoscue@dtic.mil
http://www.dtic.mil

13th Annual Mid-Atlantic Intelligence Symposium
Sponsored by AFCEA Central Maryland Chapter
Johns Hopkins Applied Physics Lab (APL), Laurel, MD
call Dawn Metzer 410.684.6580

AFCEA West '99
Sponsored by AFCEA and the U.S. Naval Institute
San Diego, CA
call the AFCEA Programs Office 703.631.6125/6126

MAR 2-4
Southeast C4I Conference and Exposition
Sponsored by the AFCEA Tampa — St. Petersburg Chapter
Tampa, FL
call J. Spargo & Associates 703.631.6200

DTIC's Annual Users Meeting & Training Conference

This year DTIC is hosting its 25th Annual Users Meeting and Training Conference. The conference will be held at the DoubleTree Hotel National Airport, 300 Army Navy Drive, Arlington, VA, from 2-5 November 1998. The agenda is packed full of exciting and relevant topics, as well as an exhibit room overflowing with vendors from every aspect of Information Technology (IT).

"Maintaining the Information Edge" is the theme for the conference, and the sessions are geared to this topic. DTIC '98 will address the information sources and changing technologies that impact those who are involved in Defense Research and Acquisition. We are particularly pleased to announce this year's keynote speakers: Lieutenant General David J. Kelley, Director, Defense Information Systems Agency; Mr. Carol Cini, Associate Director, U.S. Government Printing Office; and Mr. Richard Luce, Director, Los Alamos Research Library. Mr. Louis Purnell, the luncheon speaker, will be relating his exploits during World War II as a Tuskegee Airman.

The Conference offers four days of varied training sessions that enable DTIC users to collaborate on the latest IT topics. Presentations will address the most current issues affecting the research, development, and acquisition communities. Not only will these speakers acquaint you with the latest policy and operational developments, but they will also provide you with practical details on valuable and diverse domestic and foreign information resources, security issues, the World Wide Web, virtual libraries, video streaming and the storage and dissemination of electronic documents.

Maintaining the Information Edge presents exciting new challenges — DTIC '98 promises to provide the tools to expand your horizons to meet these challenges! For more information, please contact Ms. Julia Foscue, the DTIC '98 Conference Coordinator at 703.767.8236 or via e-mail: jfoscue@dtic.mil, or access the DTIC homepage at http://www.dtic.mil.


Detecting Intrusions (continued from page 10)

curately assess the local security posture. Therefore, a formal model must include multiple levels of cooperation and trust and must provide concise definitions of cooperation and trust in this context. Other considerations to be addressed are whether the cooperation levels should be statically or dynamically assigned and how quickly or gracefully they should be adjusted in response to the most current data. The model must also take into account the various costs of cooperation, including data collection, transmission, and sanitization and the exposure risk of the local network.

While most of the structure has been coded by undergraduates (Jamie Marconi, Jesse McConnell, Dean Polla, and Joel Marlow) so far, we hope our work on Project HMMR and our future research will encourage other researchers to explore new ideas for addressing the risks facing the critical information infrastructure. We have shown that cooperative intrusion detection can be achieved, and we believe it must be achieved to help ensure national security in the future.

Donald Tobin is a doctoral student at the University of Idaho and a research assistant at the Center for Secure and Dependable Software. His primary research interests are in intrusion detection, neural networks and information warfare. He is a retired Air Force officer and has worked with a variety of communication, satellite, and missile warning systems. He earned his M.S. in Computer Science from Boston University and his B.S. in Mathematics from the University of Texas.
The Information Assurance (IA) Tools Report on Firewall tools is now available to registered DTIC users. This report provides an index of firewall products contained in the IA Tools database. It summarizes pertinent information, providing users with a brief description of available tools and contact information. As a living document, this report will be updated periodically as additional information is entered into the database.

Currently the IA tools database contains 46 firewall tools that are available in the commercial marketplace or through GSA contracts. The firewall products provide a range of solutions to meet various firewall requirements. These solutions can provide protection of internal networks and provide secure Internet and remote access connections. The database was built by gathering open-source data, analyzing that data, coordinating with the respective firewall developer, and then formatting the data into the final report. The information includes a basic description, security services and mechanisms, availability, contact, and reseller/distributors for each firewall product included. For instructions on obtaining a copy of this report, refer to the IATAC Product Order Form.


IA Tools Reports — Vulnerability Analysis & Intrusion Detection

These IA Tools reports summarize pertinent information, providing users with a brief description of available tools and contact information. As living documents, these reports will be updated periodically as additional information is entered into the databases.

Currently the Vulnerability Analysis IA Tools database contains descriptions of 35 tools that can be used to support vulnerability and risk assessment. Research for the Intrusion Detection IA Tools report identified 43 intrusion detection tools currently employed and available.

Modeling & Simulation Technical Report

This report describes the models, simulations and tools being used or developed by selected organizations that are chartered with the IA mission. The definitions prescribed by DMSO for model and simulation were used to determine what entities should be included in this IA models, simulations and tools report.

Malicious Code Detection State-Of-The-Art Report

This SOAR addresses malicious software detection. Included is a taxonomy for malicious software to provide the audience with a better understanding of commercial malicious software. An overview of the current state-of-the-art commercial products and initiatives, as well as future trends, is presented. The same is then done for the current state-of-the-art in regard to DoD. Lastly, the report presents observations and assertions to support the DoD as it grapples with this problem entering the 21st century.
IMPORTANT NOTE: All IATAC Products are distributed through the Defense Technical Information Center (DTIC). If you are NOT a registered DTIC user, you must do so PRIOR to ordering any IATAC products. To register with DTIC go to http://www.dtic.mil/dtic/regprocess.html.

DoD Organization?  □ YES  □ NO   If NO, complete LIMITED DISTRIBUTION section below.

LIMITED DISTRIBUTION   QTY.   PRICE EA.   EXTD. PRICE

In order for NON-DoD organizations to obtain LIMITED DISTRIBUTION products, a formal written request must be sent to IAC Program Office, ATTN: Sherry Davis, 8725 John Kingman Road, Suite 0944, Ft. Belvoir, VA 22060-6218

Contract No. _______
For contractors to obtain reports, request must support a program & be verified with COTR
COTR _______  Phone _______

□ Modeling & Simulation Technical Report   No Cost
□ IA Tools Report — Firewalls   No Cost
□ IA Tools Report — Intrusion Detection   No Cost
□ IA Tools Report — Vulnerability Analysis   No Cost
□ Malicious Code Detection SOAR   □ TOP SECRET   □ SECRET   No Cost
Security POC _______  Security Phone _______

UNLIMITED DISTRIBUTION   QTY.   PRICE EA.   EXTD. PRICE

□ Newsletters (Limited number of back issues available)   No Cost
  □ Vol. 1, No. 1   □ Vol. 1, No. 2   □ Vol. 1, No. 3
  □ Vol. 2, No. 1   □ Vol. 2, No. 2

ORDER TOTAL _______

Please list the Government Program(s)/Project(s) that the product(s) will be used to support: _______

Once completed, fax to IATAC at 703.902.3425
For Additions, Deletions and Changes
— U.S. Distribution Only —

Copy this page, complete the form and fax to IATAC at 703.902.3425

□ Change   □ Add   □ Delete

Name _______  Title _______
Company/Org. _______
Address _______
City/State _______  Zip _______
Phone _______  Fax _______
DSN _______  E-mail _______

Organization (check one):
□ USA   □ USN   □ USAF   □ USMC   □ OSD   □ Contractor   □ Other

Information Assurance Technology Analysis Center
8283 Greensboro Drive, Allen 663
McLean, VA 22102-3838


